(54) Communication control system and method for supervising a failure



(57) It is an object of the present invention to accurately extract all failures occurring in a unit as hard signals and use the hard signals to completely cut off the faulty unit's communications for the purpose of maintaining the communications among the other units.

Disclosed is a communication control system comprising a plurality of control units (10A-N, 50, 90) which are connected via a communication bus (100) to provide bidirectional communication. A control unit detects a failure when it occurs. Upon failure detection, the control unit generates a failure detection signal, which operates a communication signal cutoff means (30-32, 54) to cut off the communication signal transmission from the control unit. In accordance with the communication signal reception state in a control unit other than the control unit in which the failure is detected, the former control unit identifies a failure occurrence in the latter faulty control unit.
Description

BACKGROUND OF THE INVENTION 
Field of the Invention 



[0001] The present invention relates to a communication control system comprising a plurality of control units and to a failure supervising method. It particularly relates to a communication control system which has a function to detect a failure and perform a fail-safe when the failure occurs in at least one of said control units, and relates to a failure supervising method for realizing the fail-safe function.

Prior Art 

[0002] When a failure occurs in at least one of the control units within a conventional communication control system comprising a plurality of control units, the faulty control unit performs a systematic fail-safe by turning on its own warning lamp in order to inform a user of the failure, by cutting off the control signal transmission to an actuator, or by shutting off the power supply to an actuator control unit. As regards a communication signal failure, a specific important control signal is combined with a hardware signal to form a redundancy system, and the resulting signal combination is compared against a communication signal to assure reliability.

[0003] A method for supervising on an inter-CPU level in a control unit is disclosed by Japanese Patent Laid-open No. 11-190251, etc. A method for realizing a fail-safe mechanism of a backup IC is disclosed by Japanese Patent Laid-open No. 8-147001, etc. A method for supervising a microcomputer (CPU) failure by a peripheral IC is disclosed by Japanese Patent Laid-open No. 2001-312325.

[0004] As communication control systems come into more widespread use in all industrial fields, they are more frequently used as distributed control systems. In an automobile, for instance, which is equipped with a conventional communication control system comprising a plurality of control units, a warning lamp is mounted on a meter panel in order to inform a driver of a failure when the failure occurs in at least one of the control units. The warning lamp is turned on by the control unit in which the failure exists.

[0005] However, when the idea of distributed control is adopted, a meter unit is incorporated into a communication system so that the faulty unit transmits a failure signal to the meter unit. The meter unit detects the failure signal and turns on a warning lamp. Further, in an ACC (Adaptive Cruise Control) system, an ACC control unit does not directly drive a throttle actuator or brake actuator for vehicle travel control, but transmits a torque command value and brake liquid pressure command value to an engine control unit and brake control unit respectively via a communication bus. Thereby, the respective control units drive a throttle and brake in accordance with received data.

[0006] A problem here is that data communications exchanged between component units of the communication control system are transmitted/received via a microcomputer within a respective control unit. To put it concretely, if a failure occurs in the microcomputer or peripheral, a failure in one control unit cannot accurately be transmitted to another control unit at all times. As a result, the system may continue with its operation while a control failure is allowed to exist.



SUMMARY OF THE INVENTION

[0007] The present invention is therefore made to solve the foregoing problem and it is an object of the invention to provide a communication control system for properly detecting a failure in any situation, permitting another control unit to detect a faulty unit, and accurately performing a fail-safe process, and to provide a method for supervising a failure in a communication control system.

[0008] To achieve the above object, a communication control system of the present invention comprises a plurality of control units, which are connected via a communication bus to provide bidirectional communication. Each of the control units includes a failure detection means for detecting a failure when it occurs and generating a failure detection signal, and a communication signal cutoff means, which operates according to a failure detection signal generated by the failure detection means and cuts off the communication signal transmission from the control units.

[0009] According to the communication control system of the present invention, a failure of a respective control unit is detected by the failure detection means of that control unit, and the control unit generates a failure detection signal upon failure detection. The failure detection signal activates the communication signal cutoff means, which then cuts off the communication signal transmission from the control unit.

[0010] Each control unit in the communication control system of the present invention comprises a main CPU, a supervisory IC for supervising the operation of the main CPU, and a power supply IC having a capability for detecting a constant-voltage failure. The failure detection means comprises the supervising IC and the power supply IC. When the communication control system is based on a CAN (Control Area Network) communication system, each control unit includes a CPU used for a CAN controller and a CAN driver used for a communication interface.

[0011] When a failure occurs in the communication control system of the present invention, a control unit, in which a failure is detected, cuts off the communication signal transmission. Therefore, another control unit, in which no failure is detected, can identify the failure occurrence in the above-mentioned faulty control unit in accordance with its own reception state. As a result, another control unit that has identified the failure occurrence can operate a warning means connected to itself to notify an operator of the failure occurrence or stop the operation of the actuator targeted for control for fail-safe processing purposes.

[0012] The communication signal cutoff means incorporated in the communication control system of the present invention cuts off the communication signal transmission from a control unit, in which a failure is detected, by disconnecting the communication line (cutting off the communication signal transmission), by disconnecting the transmission line for the communication section in the control unit in which the failure is detected, by shutting off the power supply to the communication interface for the control unit in which the failure is detected, or by placing the communication interface for the communication section of the control unit, in which the failure is detected, in a sleep mode.

[0013] To achieve the above object, the method for supervising a failure in the communication control system of the present invention serves as a failure supervising method for the communication control system comprising a plurality of control units that are connected via a communication bus to provide bidirectional communication. This failure supervising method detects a failure in a control unit, cuts off the communication signal transmission from the control unit upon failure detection, and cuts off the communication signal transmission from the control unit, in which the failure is detected, for the purpose of causing another control unit to identify a failure occurrence in the control unit, in which the failure is detected, in accordance with its own communication signal reception state.

[0014] The failure supervising method for the communication control system of the present invention cuts off the communication signal transmission from a control unit in which a failure is detected. This communication signal transmission cutoff is recognized from the communication signal reception state of another control unit. Consequently, the failure occurrence in a control unit is recognized by another control unit.

[0015] In the occurrence of a failure, the failure supervising method for the communication control system of the present invention informs the operator of the failure by operating the warning means in a control unit which identified the failure occurrence and stops, for fail-safe processing purposes, the actuator controlled by a control unit which identified the failure occurrence.

[0016] Upon failure detection, the failure supervising method for the communication control system of the present invention cuts off the communication signal transmission from a control unit in which a failure is detected, by disconnecting the communication line, by disconnecting the transmission line for the communication section of the control unit in which the failure is detected, by shutting off the power supply to the communication interface for the communication section of the control unit in which the failure is detected, or by placing in a sleep mode the communication interface for the communication section of the control unit in which the failure is detected.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram of one embodiment of a communication control system according to the present invention.

FIG. 2 is a data table illustrating one embodiment of a communication control system according to the present invention.

FIG. 3 is a flowchart illustrating a fail-safe process of one embodiment of a communication control system according to the present invention.

FIG. 4 is a flowchart illustrating a fail-safe process of one embodiment of a communication control system according to the present invention.

FIG. 5 is a schematic block diagram of a first embodiment of a communication control system according to the present invention.

FIG. 6 is a schematic block diagram of a second embodiment of a communication control system according to the present invention.

FIG. 7 is a schematic block diagram of a third embodiment of a communication control system according to the present invention.

FIG. 8 is a schematic block diagram of a fourth embodiment of a communication control system according to the present invention.

FIG. 9 is a schematic block diagram of a fifth embodiment of a communication control system according to the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT 



[0018] Preferred embodiments of the present invention will now be described with reference to the accompanying drawings.

[0019] FIG. 1 illustrates a typical configuration of a communication control system according to one embodiment of the present invention. The communication control system includes a plurality of control units 10A, 10B-10N. The control units 10A, 10B-10N are interconnected via a communication bus 100 so as to provide bidirectional communication. These control units 10A, 10B-10N exchange data with each other and exercise control over actuators 41, warning lamps 42, motors 43, and other components connected to their outputs.

[0020] For the convenience of explanation, the present embodiment assumes that control unit 10A (unit A) is faulty. Since all control units 10A, 10B-10N have substantially the same structure, control unit 10A will now be described herein.

[0021] Control unit 10A includes a main CPU 11, a supervising IC 12 for supervising the results of computations performed by the main CPU 11, a power supply IC 13, input interface sections 14 for switch signal detection, an output interface section 15 for outputting a signal to an actuator 41, and a communication driver 16 for exchanging communication signals with the communication bus 100.

[0022] The main CPU 11 includes input ports 17 for receiving a signal input from the input interface sections 14, an output port 18 for outputting a signal to the output interface section 15, a communication port 19 for exchanging communication signals with the communication driver 16, a parallel port 20 for making a parallel connection to the supervising IC 12, a P_RUN signal output terminal 21, and a RESET signal input terminal 22.

[0023] A 3-input AND circuit 30 is provided between the output port 18 and output interface section 15 of the main CPU 11. The 3-input AND circuit 30 selectively cuts off the actuator drive signal transmission from the output port 18 to the output interface section 15.

[0024] A communication signal cutoff means 31 is provided between the communication port 19 and communication driver 16 of the main CPU 11. The communication signal cutoff means 31 closes when the output of a 2-input AND circuit 32 is High and opens when the same output is Low.

[0025] The power supply IC 13 includes a constant-voltage output terminal 26, a constant-voltage failure output terminal 27, a P_RUN signal input terminal 28 for receiving a RUN signal input from the P_RUN signal output terminal 21 of the main CPU 11, and a RESET signal output terminal 29 for outputting a reset signal to the RESET signal input terminal 22 of the main CPU 11. The power supply IC 13 supervises the RUN signal that is output from the main CPU 11. Upon failure recognition, the power supply IC 13 resets the main CPU 11 by outputting a reset signal to the main CPU 11 from the RESET signal output terminal 29.

[0026] The output (constant-voltage failure output signal) from the constant-voltage failure output terminal 27 of the power supply IC 13 is entered into the 3-input AND circuit 30 and 2-input AND circuit 32. When the constant-voltage value output from the power supply IC 13 is abnormal, a normal judgment may not be formulated due to unstable operations of the main CPU 11 and supervising IC 12. Therefore, the signal level changes from High to Low for failure detection signaling purposes.

[0027] Consequently, if the constant-voltage value output from the power supply IC 13 is abnormal, a fail-safe process is performed so that the 3-input AND circuit 30 cuts off the signal to be entered from the main CPU 11 to the output interface section 15 for driving the actuator 41, and that the signal cutoff means 31 cuts off the signal to be entered from the communication port 19 to the communication driver 16.



[0028] The supervising IC 12 includes a parallel port 23 for making a parallel connection to the main CPU 11, a P_RUN signal input terminal 24 for receiving a RUN signal input from the P_RUN signal output terminal 21 of the main CPU 11, and a system shut signal output terminal 25 for outputting a system shut signal as a failure detection signal.

[0029] The supervising IC 12 enters a system shut signal from the system shut signal output terminal 25 into the 3-input AND circuit 30 and 2-input AND circuit 32, enters a RUN signal from the main CPU 11 to the P_RUN signal input terminal 24, and compares register computation results via the parallel port 23. If the comparison reveals any failure, the supervising IC 12 changes the level of the system shut signal (failure detection signal) from High to Low.

[0030] When a failure is recognized by the supervising IC 12 in the above manner, a fail-safe process is performed so that the 3-input AND circuit 30 cuts off the signal to be entered from the main CPU 11 to the output interface section 15 for driving the actuator 41, and that the signal cutoff means 31 cuts off the signal to be entered from the communication port 19 to the communication driver 16.

[0031] When the communication signal is cut off according to a constant-voltage failure signal and system shut signal generated by the power supply IC 13 and supervising IC 12, another control unit (10B, 10C, etc.) detects such a communication signal cutoff and performs a fail-safe process. This fail-safe process will now be described with reference to FIGS. 2 and 3.

[0032] FIG. 2 shows an example of communication data exchanged by the communication control devices shown in FIG. 1. Individual communication data are assigned unique ID numbers so that the data length, transmission intervals, and transmitting and receiving units are stipulated for each communication data.

[0033] For this example, it will be assumed that 4-bit data having the data ID number 123 is transmitted from control unit 10A (unit A) to control unit 10B (unit B) and control unit 10C (unit C). When viewed from control units 10B and 10C, the data having the data ID number 123 is updated at 100 ms intervals and supervised by control units 10B and 10C.

[0034] The 3-input AND circuit 30 ANDs the output from the output interface section 15 with the constant-voltage failure output from the power supply IC 13 even if the output port 18 is being controlled and the High level prevails. Therefore, when, for instance, the constant-voltage output varies from a specified value due to a failure in the power IC 13 and the constant-voltage failure output signal goes Low, the control signal entered from the main CPU 11 of control unit 10A to the output interface section 15 of the same control unit is cut off and the operation of the actuator 41 comes to a stop.

[0035] The communication signal cutoff means 31 also works in the same manner. When the constant-voltage failure output signal of the power supply IC 13 goes Low, the communication driver 16 for exchanging communication signals does not transmit any communication signal because it is cut off due to ANDing by the 2-input AND circuit 32. As a result, control units 10B and 10C to 10N cannot recognize the data having the data ID number 123.

[0036] Control unit 10B repeatedly executes a unit B fail-safe processing routine shown in FIG. 3 at predetermined time intervals. The unit B fail-safe processing routine checks whether the data having the ID number 123 is updated at predetermined communication intervals (step S11).

[0037] A generally employed means for checking whether the data is updated is to increment a data counter on each reception cycle and supervise the data, or to perform computations on specified data (e.g., add data) on each communication cycle and check at predetermined intervals whether a specified computation result (e.g., addition result) is obtained.

[0038] If the data update check reveals that the data is properly updated (the question in step S11 is answered "Yes"), a process is performed so as to keep a warning lamp 42 illuminated or extinguish the warning lamp 42 (step S12). If, on the other hand, the data is not properly updated (the question in step S11 is answered "No"), the warning lamp 42 is illuminated (step S13) so as to notify the operator (vehicle driver) of a failure.

[0039] In like manner, control unit 10C repeatedly executes a unit C fail-safe processing routine shown in FIG. 4 at predetermined time intervals in order to check whether the data having the ID number 123 is updated at predetermined communication intervals (step S21).

[0040] If the data update check reveals that the data is properly updated (the question in step S21 is answered "Yes"), a motor 43 is allowed to be driven (step S22). If, on the other hand, the data is not properly updated (the question in step S21 is answered "No"), the motor 43 is inhibited from being driven and brought to a forced stop (step S23) to perform a fail-safe process.

[0041] When a failure occurs in a communication control system, the communication signal cutoff means 31 discontinues, as described above, the data transmission from a control-signal-transmitting control unit (e.g., control unit 10A), in which the failure is encountered, and a receiving-end control unit (e.g., control unit 10B or 10C) detects that a data update is discontinued. This ensures that a fail-safe process can be properly performed. It is important in communication cutoff that the cutoff logic of a discontinuing end be confined to the recessive side so as to maintain the communications among the other units.
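
The supervision described in paragraphs [0023] to [0041], modelled as an added C sketch that is not part of the patent: unit A's two failure detection signals gate its transmission and actuator drive, and units B and C run the S11/S21 update check using the reception-counter method of [0037]. The 200 ms check interval, the type and function names, and the simulation harness are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not from the patent). Signal names follow the text;
 * CHECK_MS, the identifiers and the simulation harness are assumptions. */
#define DATA_ID   123u          /* data ID used in the FIG. 2 example         */
#define PERIOD_MS 100u          /* unit A updates ID 123 every 100 ms         */
#define CHECK_MS  200u          /* assumed interval of the S11/S21 routines   */
#define NEVER     UINT32_MAX

typedef enum { FAULT_NONE, FAULT_CONST_VOLTAGE, FAULT_SYSTEM_SHUT } fault_t;

/* Unit A: both failure detection signals are High while the unit is healthy. */
typedef struct {
    bool cv_ok;     /* constant-voltage failure output, power supply IC 13 */
    bool sys_shut;  /* system shut signal, supervising IC 12               */
} unit_a_t;

/* 2-input AND circuit 32: cutoff means 31 is closed only while this is High. */
static bool tx_enabled(const unit_a_t *a) { return a->cv_ok && a->sys_shut; }

/* 3-input AND circuit 30: gates the actuator drive signal from output port 18. */
static bool actuator_drive(const unit_a_t *a, bool port_out)
{
    return port_out && a->cv_ok && a->sys_shut;
}

/* Receiver side: a reception counter compared at each periodic check. */
typedef struct { uint32_t rx_count, snapshot; } monitor_t;

static void on_frame(monitor_t *m, uint32_t id)
{
    if (id == DATA_ID) m->rx_count++;
}

/* Steps S11 / S21: has ID 123 been received since the previous check? */
static bool data_updated(monitor_t *m)
{
    bool fresh = (m->rx_count != m->snapshot);
    m->snapshot = m->rx_count;
    return fresh;
}

typedef struct {
    uint32_t lamp_on_ms;     /* unit B: first time warning lamp 42 is lit (S13) */
    uint32_t motor_stop_ms;  /* unit C: first forced stop of motor 43 (S23)     */
    bool actuator_after;     /* unit A actuator drive at the end of the run     */
} result_t;

/* Millisecond-step simulation; the fault (if any) is injected at fail_at_ms. */
static result_t simulate(fault_t fault, uint32_t fail_at_ms, uint32_t end_ms)
{
    unit_a_t a = { true, true };
    monitor_t b = { 0, 0 }, c = { 0, 0 };
    result_t r = { NEVER, NEVER, false };

    for (uint32_t t = 0; t <= end_ms; t++) {
        if (fault != FAULT_NONE && t == fail_at_ms) {
            if (fault == FAULT_CONST_VOLTAGE) a.cv_ok = false;  /* High -> Low */
            else a.sys_shut = false;                            /* High -> Low */
        }
        /* Unit A's CPU still tries to send every period; the hardware cutoff
         * decides whether the frame reaches the bus, whatever the CPU does. */
        if (t % PERIOD_MS == 0 && tx_enabled(&a)) {
            on_frame(&b, DATA_ID);
            on_frame(&c, DATA_ID);
        }
        if (t > 0 && t % CHECK_MS == 0) {
            if (!data_updated(&b) && r.lamp_on_ms == NEVER) r.lamp_on_ms = t;
            if (!data_updated(&c) && r.motor_stop_ms == NEVER) r.motor_stop_ms = t;
        }
    }
    r.actuator_after = actuator_drive(&a, true);
    return r;
}

int main(void)
{
    result_t ok = simulate(FAULT_NONE, 0, 1000);
    result_t bad = simulate(FAULT_SYSTEM_SHUT, 450, 1000);
    printf("healthy: lamp %s\n", ok.lamp_on_ms == NEVER ? "off" : "on");
    printf("fault at 450 ms: lamp on at %u ms, motor stopped at %u ms\n",
           (unsigned)bad.lamp_on_ms, (unsigned)bad.motor_stop_ms);
    return 0;
}
```

Detection latency in this model is bounded by the check interval plus one transmission period, so the receiver's interval has to be chosen against the fail-safe reaction time the actuator needs.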

[0042] Some embodiments of the communication signal cutoff means 31, which meet the aforementioned requirements, will now be described with reference to FIGS. 5 to 9. For the purposes of this description, a control unit in which a failure is encountered will be referred to as a faulty unit 50, whereas a control unit other than the faulty unit is referred to as the other unit 90.



[0043] FIG. 5 illustrates a first embodiment of the present invention. It represents an embodiment that disconnects the line between a CAN controller CPU 51 and a CAN driver 52 for providing communication interface in a CAN (Control Area Network) communication system, which is based on a specific communications protocol that is now increasingly used particularly in the automotive and other industries. The CAN controller CPU 51 and CAN driver 52 are interconnected with serial communication lines CAN-Rx and CAN-Tx.

[0044] Upon detection of a constant-voltage failure, system shut signal, or other failure signal in a faulty unit 50, a failure check means 53 outputs a High-level failure detection signal (FAIL signal). A transistor switching circuit 54 then performs a switching operation so that serial communication line CAN-Tx, which is connected between the output of the CAN controller 51 and the CAN driver 52, is fixed at a Low level. Therefore, the CAN driver 52 remains in a no-signal output state. The other unit 90, which is connected to the communication bus (CAN bus) 100, detects this state and performs a fail-safe process. The other unit 90 also includes a CAN controller CPU 91 and a CAN driver 92. The CAN driver 52 of the faulty unit 50 is connected to the CAN driver 92 of the other unit 90 with CAN-H and CAN-L terminals.

[0045] When the CAN driver 52 of the faulty unit 50 stays in a no-signal output state, the other unit 90 illuminates a warning lamp 96 that is connected to its own output interface section 95. In the present embodiment, a communication cutoff circuit can be formed within a unit without using a high-side driver or other expensive device. Therefore, a significant cost increase does not result.

[0046] FIG. 6 illustrates a second embodiment, which includes a high-side driver 55, which is provided in a power supply circuit for the CAN driver 52 of the faulty unit 50. This high-side driver 55 shuts off the power (constant voltage Vcc) for the CAN driver 52. When a constant-voltage failure, system shut signal, or other failure signal in the faulty unit 50 is detected by the failure check means 53 in the present embodiment, the failure check means 53 also outputs a High-level failure detection signal.

[0047] The transistor switching circuit 54 then performs a switching operation so that the high-side driver 55, which supplies power to the CAN driver 52, changes its state so as to stop the power supply to the CAN driver 52. As a result, the CAN driver 52 stays in a no-signal output state. The other unit 90, which is connected to the communication bus 100, detects this state and then performs a fail-safe process in the same manner as with the first embodiment shown in FIG. 5.

[0048] In the second embodiment, the cost is relatively high because the high-side driver 55 turns off the CAN driver 52 instead of disconnecting the line between the CAN controller CPU 51 and CAN driver 52. However, it is not necessary to insert a resistor or the like into a serial communication line between the CAN controller CPU 51 and CAN driver 52. Therefore, no design changes need be made to compensate for a decreased communication speed or the like. The present embodiment supports high-grade specifications for high-speed communications.

[0049] FIG. 7 illustrates a third embodiment, which disconnects the communication bus (CAN bus) 100 outside the faulty unit 50. In the present embodiment, the communication bus 100 is provided with a relay switch 61. The relay switch 61 opens/closes in accordance with the on/off operation of the transistor switching circuit 54.

[0050] When a constant-voltage failure, system shut signal, or other failure signal in the faulty unit 50 is detected by the failure check means 53 in the present embodiment, the failure check means 53 also outputs a High-level failure detection signal. The transistor switching circuit 54 then performs a switching operation so as to open the relay switch 61, which is provided externally to the units and mounted on the communication bus 100 connected between the CAN driver 52 and the other unit 90. As a result, the relay switch 61 disconnects the communication bus 100.

[0051] When the communication bus 100 is disconnected as described above, no more data transmission from the faulty unit 50 exists on the communication bus 100 so that a no-signal output state prevails. The other unit 90, which is connected to the communication bus 100, detects this state and then performs a fail-safe process in the same manner as with the embodiment shown in FIG. 5. In the third embodiment, existing control units may be used without being redesigned because the relay switch 61 is added externally to the units.

[0052] FIG. 8 illustrates a fourth embodiment. In the present embodiment, bias line b for a switching transistor 57, which is connected to the output of a CAN-Tx register 56 for a CAN controller CPU 51', is independently positioned outside the CPU package so that the voltage of bias line b is controlled by the switching circuit 54.

[0053] When a constant-voltage failure, system shut signal, or other failure signal in the faulty unit 50 is detected by the failure check means 53 in the present embodiment, the failure check means 53 also outputs a High-level failure detection signal. The transistor switching circuit 54 then performs a switching operation so as to shut off the bias supply to the output of the CAN-Tx register 56 incorporated in the CAN controller CPU 51'. As a result, the CAN driver 52 stays in a no-signal output state. The other unit 90, which is connected to the communication bus 100, detects this state and then performs a fail-safe process in the same manner as with the embodiment shown in FIG. 5. In the fourth embodiment, bias line b, which is connected to the output of the CAN-Tx register 56, is merely positioned outside the CAN controller CPU 51'. Since no other devices or parts are required, the cost does not increase.

[0054] FIG. 9 illustrates a fifth embodiment, in which a CAN driver 52' incorporates a sleep/standby function. As is well known, the sleep/standby function reduces the system's power consumption during the interval between the instant at which the system is stopped and the instant at which the system is later restarted, by retaining the data stored in a RAM and various other data for use in a system restart.

[0055] When the sleep/standby terminal goes Low, the CAN driver 52' enters a sleep/standby mode. In the sleep/standby mode, the CAN driver 52' stops outputting data to the CAN bus (communication bus 100) and performs only a read operation (to read data on the CAN bus) for the CAN controller CPU 51. The sleep/standby terminal of the CAN driver 52' goes High or Low in accordance with the transistor switching circuit 54.

[0056] When the failure check means 53 detects a constant-voltage failure, system shut signal, or other failure signal in the faulty unit 50 and then outputs a High-level failure detection signal, the transistor switching circuit 54 performs a switching operation so that the sleep/standby terminal of the CAN driver 52' goes Low. This places the CAN driver 52' in the sleep/standby mode and inhibits the CAN-Rx signal output from the CAN controller CPU 51 from being positioned on the communication bus 100. Consequently, no more data transmission from the faulty unit 50 exists on the communication bus 100 so that a no-signal output state prevails. The other unit 90, which is connected to the communication bus 100, detects this state and then performs a fail-safe process in the same manner as with the embodiment shown in FIG. 5.

[0057] In the present embodiment, the existing CAN driver 52 having the sleep/standby function can be continuously used so that no other devices or parts are required. Therefore, the cost does not increase.

[0058] While the present invention has been described in detail in terms of preferred embodiments (five embodiments), it should be understood that the invention is not limited to those preferred embodiments, and that various design changes can be made without departure from the scope and spirit of the invention as set forth in the appended claims.

Industrial Applicability 


Effect of the Invention 

[0059] The present invention can properly detect a failure in a distributed control system for communications no matter what failure is encountered, enable a unit to detect the existence of any faulty unit, and accurately perform a fail-safe process.



Claims

1. A communication control system, comprising a plurality of control units (10A-N, 50, 90) which are connected via a communication bus (100) to provide bidirectional communication, wherein each of said control units includes a failure detection means (12, 13) for detecting a failure when said failure occurs and generating a failure detection signal, and a communication signal cutoff means (30-32, 54) which operates according to a failure detection signal generated by said failure detection means and cuts off the transmission of a communication signal from the control unit detecting the failure.

2. The communication control system according to claim 1, wherein each of said control units comprises a main CPU (11, 51, 51'), a supervisory IC (12) for supervising the operation of said main CPU, and a power supply IC (13) having a capability for detecting a constant-voltage failure, wherein the failure detection means (12, 13) comprises said supervisory IC and said power supply IC.

3. The communication control system according to 
claim 1, said communication control system is 
based on a CPU used for a CAN controller and a 
CAN driver (15, 16) used for a communication in- 25 
terface. 

4. The communication control system according to claim 1, said communication control system being organized so that a failure occurrence of at least one of said control units can be identified by another control unit, in which no failure is detected, in accordance with the communication signal reception state in said another control unit.


5. The communication control system according to claim 1, said communication control system being organized so that a failure occurrence of at least one of said control units can be identified by another control unit, in which no failure is detected, in accordance with the communication signal reception state in said another control unit, wherein each of said control units is equipped with a warning means; said another control unit, which has identified said failure occurrence, causes the warning means of itself to operate when the failure occurred in any of said control units.

6. The communication control system according to claim 1, said communication control system being organized so that a failure occurrence of at least one of said control units can be identified by another control unit, in which no failure is detected, in accordance with the communication signal reception state in said another control unit, wherein said another control unit, which has identified said failure occurrence, causes the operation of an actuator operated by said another control unit to stop when the failure occurred in any of said control units.

7. The communication control system according to claim 1, wherein said communication signal cutoff means cuts off the transmission of a communication signal from the control unit, in which a failure is detected, by disconnecting the communication line.

8. The communication control system according to claim 1, wherein said communication signal cutoff means cuts off the transmission of a communication signal from the control unit, in which a failure is detected, by disconnecting the transmission line of a communication section within said control unit.

9. The communication control system according to claim 1, wherein said communication signal cutoff means cuts off the transmission of a communication signal from the control unit, in which a failure is detected, by shutting off the power supply to a communication interface of said control unit.

10. The communication control system according to claim 1, wherein said communication signal cutoff means cuts off the transmission of a communication signal from the control unit, in which a failure is detected, by placing in a sleep mode the communication interface of said control unit.

11. A method for supervising a failure in a communication control system comprising a plurality of control units which are connected via a communication bus to provide bidirectional communication, the method comprising the steps of:

detecting a failure by a control unit in which the failure occurred; and

cutting off, upon failure detection, the transmission of a communication signal from a control unit in which the failure is detected.

12. The method according to claim 11, further comprising the step of identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, from the communication signal reception state in accordance with another control unit.

13. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, in accordance with the communication signal reception state in said another control unit; and

operating a warning means of said another control unit which has identified said failure occurrence when the failure occurred in any of said control units.

14. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, in accordance with the communication signal reception state in said another control unit; and

stopping an actuator controlled by said another control unit which has identified said failure occurrence when the failure occurred in any of said control units.



15. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, in accordance with the communication signal reception state in said another control unit; and

cutting off the transmission of a communication signal upon failure detection by disconnecting the communication line.

16. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, in accordance with the communication signal reception state in said another control unit; and

cutting off, upon failure detection, the communication signal transmission by disconnecting the transmission line of a communication section in said control unit in which a failure is detected.

17. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, from the communication signal reception state in said another control unit;

shutting off, upon failure detection, the power supply to a communication interface of the communication section in said control unit in which a failure is detected; and

cutting off the communication signal transmission from the control unit in which a failure is detected.

18. The method according to claim 11, further comprising the steps of:

identifying a failure occurrence in said control unit by another control unit, in which no failure occurs, from the communication signal reception state in said another control unit; and

cutting off the transmission of a communication signal from the control unit, in which a failure is detected, by placing in a sleep mode the communication interface of said control unit.